Support for SEP for Mac and Active Directory

Article: TECH132795  |  Created: 2010-01-28  |  Updated: 2013-02-25
Article Type
Technical Solution


Does Symantec support the import of Macintosh Active Directory objects into the Symantec Endpoint Protection Manager (SEPM)?



Macintosh computers that are Active Directory members may not appear correctly in the SEPM under the OU that was imported.



As of SEP 11.0 RU6, importing Active Directory objects for Macintosh computers into the SEPM has not been tested, because the SEPM does not support pushing the Macintosh client package or discovering unmanaged Macintosh computers on the network. The steps in the Solution below are provided for the customer's reference only and are not supported. Apple uses the .local domain (a DNS domain used by Bonjour multicast DNS, not an AD domain) to distinguish Macintosh services that belong to the intranet rather than the Internet, and Apple recommends leaving the default .local domain in place. Changing the domain suffix on every Mac in an environment, whether manually or by script, is also not advisable, since it may have undesirable consequences.



This information is provided for technician and customer convenience only. Symantec does not help customers resolve problems getting Macintosh computers to join an AD domain.

Using Directory Utility

    1. Log into the Apple computer you want to join to the domain (e.g. "mydomain.test") . You must be logged into an account with Administrator access.

    2. Open the Directory Utility, which is located in:
    10.5 (Leopard):
    10.6 (Snow Leopard):

    3. If necessary, click the padlock and enter your password to unlock the Directory Utility.

    4. Click the checkmark next to Active Directory to enable Active Directory support.

    5. Highlight Active Directory and click on the Pencil icon in the lower-right hand of the directory list to configure the Active Directory connection.

    6. Enter in the FQDN for the Active Directory domain under Domain ("mydomain.test").

    7. Enter in a computer name under Computer ID.

    8. Click Bind. A prompt will ask for your network credentials (an Active Directory account that is permitted to join computers to the domain; a domain administrator account is not required).
    Make sure DNS is configured correctly first: the Mac must be able to resolve the Active Directory domain name (for example, can you ping mydomain.test?) and the domain's _ldap._tcp SRV record, which the bind relies on.

    9. Your machine will be bound to Active Directory.

    10. Click Apply in the Directory Utility to save your changes.

    11. Restart your machine.

Using the dsconfigad Command

    The dsconfigad command can also be used to join a Macintosh to an Active Directory domain. To add the Macintosh to the Computers OU in the "mydomain.test" example, the command syntax (Mac OS X 10.5/10.6) is as follows:

    dsconfigad -a machine-name -domain mydomain.test -ou "ou=computers,dc=mydomain,dc=test" -u username

    Replace machine-name with the desired computer ID and username with an Active Directory account that is permitted to join computers to the domain. The dc= components of the -ou value must match the domain given to -domain, otherwise the command will fail.

IMPORTANT - Verify host name

    Run the hostname command from the Mac OS X command line and make sure it returns a FQDN with the correct suffix for the AD domain of which the Mac is a member. Otherwise a managed SEP client will send the wrong domain information to its SEPM.

    A properly configured DHCP server should provide the Macintosh with the proper suffix, but if necessary set the host name with the following command (for example, a computer named "bucky" in the domain "mydomain.test"):

    sudo scutil --set HostName bucky.mydomain.test

    Note the TWO dashes before "set" in the command. scutil is used because the conventional hostname command (as on Linux) appears to work but only changes the running kernel's name, so the machine name may revert after a reboot.
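The checks that the dsconfigad and host name sections above ask for, as an added shell example (not part of the original article and not Symantec or Apple code). It assumes the 10.5/10.6 dsconfigad syntax, the placeholder domain mydomain.test, computer name bucky and the Computers OU, and a constructed sample of dsconfigad -show output; the live section runs only when a domain is passed as an argument on the Mac itself.

```shell
#!/bin/sh
# Added example for this article (not Symantec or Apple code): sanity checks
# around the dsconfigad bind and the host-name check the article requires.
# "mydomain.test", "bucky" and the Computers OU are placeholders; the
# dsconfigad -show sample below is constructed, not captured from a real Mac.

# POSIX sh has no ${var,,}; lower-case through tr.
lc() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# mydomain.test -> dc=mydomain,dc=test (the DN suffix an OU in that domain ends with).
domain_to_dc() {
    lc "$1" | awk -F. '{ for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), $i }'
}

# Succeeds when the OU distinguished name ($1) lies under AD domain $2.
# dsconfigad fails if the dc= components do not match the -domain value.
ou_in_domain() {
    dn=$(lc "$1" | tr -d ' ')
    case "$dn" in
        *",$(domain_to_dc "$2")") return 0 ;;
    esac
    return 1
}

# Succeeds when $1 is a name inside domain $2: at least one label plus the
# exact suffix. "bucky.local", "bucky.notmydomain.test" and a bare
# "mydomain.test" all fail, which is what the SEP client check needs.
hostname_in_domain() {
    case "$(lc "$1")" in
        *".$(lc "$2")") return 0 ;;
    esac
    return 1
}

# Reads `dsconfigad -show` text on stdin and prints the bound AD domain.
# Assumes the 10.5/10.6 "Key = value" line layout.
bound_domain() {
    awk -F= '/^Active Directory Domain/ { gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2 }'
}

# Constructed sample of what `dsconfigad -show` prints after a successful bind.
SAMPLE_SHOW='You are bound to Active Directory:
Active Directory Forest          = mydomain.test
Active Directory Domain          = mydomain.test
Computer Account                 = bucky$'

# Live checks, run only on the Mac:  sh adcheck.sh mydomain.test [computer-id] [ou-dn]
if [ "$#" -ge 1 ]; then
    domain=$1
    computer=${2:-$(hostname -s)}
    ou=${3:-"ou=computers,$(domain_to_dc "$domain")"}

    # Binding needs AD's DNS SRV records, not merely a pingable name.
    if ! dig +short SRV "_ldap._tcp.$domain" | grep -q .; then
        echo "no _ldap._tcp.$domain SRV record: fix DNS before binding" >&2
        exit 1
    fi
    ou_in_domain "$ou" "$domain" || { echo "OU $ou is not under $domain" >&2; exit 1; }

    if ! dsconfigad -show | bound_domain | grep -qixF "$domain"; then
        echo "not bound; run: sudo dsconfigad -a $computer -domain $domain -ou \"$ou\" -u <AD account>" >&2
        exit 1
    fi

    if hostname_in_domain "$(hostname)" "$domain"; then
        echo "ok: $(hostname) is inside $domain"
    else
        echo "host name '$(hostname)' lacks the $domain suffix; SEP would report the wrong domain" >&2
        echo "fix with: sudo scutil --set HostName $computer.$domain" >&2
        exit 1
    fi
fi
```

The three pure functions (domain_to_dc, ou_in_domain, hostname_in_domain) can be exercised on any POSIX shell; the live path needs dig, dsconfigad and scutil, so it is only meaningful on the Mac being joined. The script reports the remedial command rather than running scutil itself, so nothing changes the host name without an administrator seeing it first.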


Supplemental Materials


Macintosh computers that are Active Directory members may not appear correctly in the SEPM: they may be placed in the Default group instead of in their own OU.

If you create a new group (or groups) under My Company in the SEPM and move all the Mac clients into the newly created group(s), they can be configured and assigned antivirus policies as desired.

If you try to move the Mac clients back into their default OU, they cannot be moved; this is the default behaviour.
